0

Hi,

I am trying to creat a very simple session between 3 php pages as:index.php ,validate.php and target.php

index.php

<?php
session_start();
$_SESSION['uid'] = 'test';
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Start A Session</title>
</head>  
<body>

<h1>Welcome to Heaven</h1>
<form method="POST" action="validate.php">
Your Name: <input type="text" name="name" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

and validate.php as:

<?php
session_start();
$err="Not Allowed";

if(($_POST['name']) == $_SESSION['uid']){
header ("Location: heaven.php");}
else
{echo $err; }
?>

and finally target.php as

<?php
session_start();
?>

<!DOCTYPE HTML>
<html>
<head>
<title>Start Email with PHP</title>
</head>
<body>
<h1>Welcome to Targer <?php echo $_SESSION['uid'] ?></h1>
<img src="session.jpg">
</body>
</html>

Now my questions are:
1- How come user still can get access to target page while I have already set a seetion between pages(according to my understanding of sessions the target page must NOT be accessible unless the correct seesion value has beeb submitted)

2- I tried to validate the $_SESSSION value by using the isset() but it did'nt go through! can you please let me know how I can modify the validate.php using the isset() instead of if(($_POST['name']) == $_SESSION['uid']) comarison?

3- Can you please let me know how I can merge two (idex.php and validate.php) in one page? I mean how I can validate the session inside the index.php and reduce the files two index and target? In this case I need to handle the wronge logins inside the index page.

and finally,can you please let me know how I can assign the value to $_SESSION from user input? I mean instesd of having a hard coded part like $_SESSION['uid'] = 'test'; let the session value start with user input!.I know this looks meaningless here but I would like to get idae on creating captcha in same index page

Thanks for your time in advance

Edited by Behseini

4
Contributors
4
Replies
5
Views
5 Years
Discussion Span
Last Post by Biiim
0

Hi,

These are two different things that will never ever equal to each other, and will never validate to true.

if(($_POST['name']) == $_SESSION['uid'])

Because at the start of the session, you defined your session['uid'] as 'test'. Therefore, at the time that the form has been posted the condition above will validates to

if((SomeName) == (test))

and it is definitely equal to FALSE. However, this will work . Add another input to your form and then change your submit button code to this.

<input type= "hidden" name = "this_session" value = "<?php echo $_SESSION['uid'];?>"/>
<input type="submit" name = "submit" value="Submit" />

Change your if statement in validate.php to something like this.. triple validation, before anything could happen.

  if((isset($_POST['submit'])) && (($_POST['this_session'])== ($_SESSION['uid'])) && (!empty($_POST['name']))){

    ## do your redirect here..
   }

The above will validate if the submit button has been submitted, this_session is equal to the session['uid'], and the posted value of 'name' is not empty. So if the form has been properly filled, and the submission is not coming from some remote script (the session confirms that at least, but if a cookiejar is used in cURL, this form can be spoof without any problem).. the script validates to true. something like this in the parser's side

if((TRUE) && ((TRUE) == (TRUE)) && (!empty(TRUE))){

 ## validated to true and will execute everything below

}

Edited by veedeoo: more info added

0


stupid not showing an image, i'll write it for you

Edited by Biiim: test image

0

index.php

<?php
session_start();
$_SESSION['uid'] = 'test';
//$_SESSION['password'] = 'test';//password as well as name?
if(ISSET($_POST['submit']) && ISSET($_POST['name'])){
    //if($_POST['name'] == $_SESSION['uid']){
    if(ctype_alnum($_POST['name'])){
        $_SESSION['uid'] = $_POST['name'];
        $_SESSION['loggedin'] = true;
        header ("Location: heaven.php");
    }else{
        $errmsg = 'Not Allowed';
    }
}
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Start A Session</title>
</head>  
<body>
<h1>Welcome to Heaven</h1>
<?php 
if(ISSET($errmsg) && $errmsg != ''){
    echo $errmsg;
}
?>
<form method="POST">
Your Name: <input type="text" name="name" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

target.php

<?php
session_start();
if($_SESSION['loggedin'] !== true){
    header('Location: index.php');
}
?>
<!DOCTYPE HTML>
<html>
<head>
<title>Start Email with PHP</title>
</head>
<body>
<h1>Welcome to Targer <?php echo $_SESSION['uid'] ?></h1>
<img src="session.jpg">
</body>
</html>
This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.